interlock-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@interlock-mcpPropose to restart the web server with rolling update"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
interlock-mcp
A human-in-the-loop governance interlock for AI agents (MCP server). Agents propose changes; a human countersigns the exact plan; only then does it execute — stage by stage, precondition-checked against live state, verified, and audited. Bring your own executors.
An interlock is a safety mechanism that prevents an action until every required condition is engaged. Nothing here actuates unless the plan validates, a human countersigns those exact bytes, and the live preconditions still hold.
Why this exists
Most ways of letting an agent change real systems fall into two camps, and neither is safe enough for infrastructure:
Direct-execute tool servers (docker/shell/k8s MCPs) hand the model the keys — it plans and applies in one step. No review, no verification, no audit.
Synchronous human-in-the-loop (elicitation, approval dialogs) pauses a single tool call to ask right now, in-session. That doesn't fit changes a human should review out-of-band, minutes or hours later, from a different surface.
Interlock is the missing envelope: an asynchronous, hash-bound, human-countersigned, precondition-checked, verified, audited path from agent intent to real change. The agent never holds the keys; it holds a proposal.
Related MCP server: Cordum_io
The loop
agent interlock core human world
│ propose(body) │ │ │
├───────────────────────────▶│ validate (schema+invariants) │ │
│ │ hash (RFC-8785 JCS) │ │
│ plan_id ◀──────────┤ store as PROPOSED (held) │ │
│ │ │ │
│ │ review + countersign │ │
│ │◀──────────────────────────────┤ interlock approve
│ │ bind (schema_version, hash) │ │
│ execute(plan_id) │ │ │
├───────────────────────────▶│ re-validate + release gate │ │
│ │ per stage: │ │
│ │ ├ preconditions vs LIVE state│───probe──────▶│
│ │ ├ dispatch (adapter) ────────┼───execute────▶│
│ │ └ verify post-conditions ────│───probe──────▶│
│ result ◀───────────┤ halt-and-audit on any failure │ │
│ │ append to hash-chained audit │ │Guarantees
Hash-bound approval. An approval binds
(schema_version, plan_hash)to the exact bytes reviewed. Edit the body afterward and the approval is void (tamper-evident).One-shot & time-boxed. An approved plan runs once; a stale approval expires.
Fail-closed preconditions. A stage's preconditions are re-checked against live ground truth immediately before dispatch. Unmet — or unprobeable — halts with nothing dispatched.
Forward-only. On any failure it halts and records what committed; no surprise auto-rollback. Remediation is a new plan.
Tamper-evident audit. Every decision is appended to a hash-chained log;
interlock verify-auditdetects any edit, reorder, or drop.Reproducible hashing. RFC-8785 JCS over a YAML-1.2 value model — no
on/off→boolcoercion, no source-text hashing. Any re-implementation must reproduce the pinned vector.
Quickstart
pip install interlock-mcp # or: pip install "interlock-mcp[server]" for the MCP server
# run the dependency-free demo (propose -> approve -> execute -> verify a file write)
python examples/filesystem_demo.pyEmbed it in a few lines — implement two adapters for your world and the core does the rest:
from interlock.engine import Interlock
from interlock.policy import Policy, registry
from interlock.approval import FileStore
from interlock.audit import FileAuditSink
engine = Interlock(
policy=Policy(action_registry=registry(mutating=["restart_service"])),
store=FileStore("./plans"), audit=FileAuditSink("./audit.jsonl"),
executor=MyExecutor(), # .execute(action, params, target) -> ExecResult
prober=MyProber(), # .probe(check, probe) -> ProbeResult (read-only)
ttl_seconds=72 * 3600,
)The agent talks to the MCP server (propose_plan, get_plan, list_plans,
execute_plan). A human reviews on a separate channel:
interlock list --status proposed
interlock approve <plan_id> --by alice --reason "reviewed"
interlock verify-audit ./audit.jsonlSecurity model (in one sentence)
The proposer and the approver are different surfaces: the agent's MCP tools can
propose and execute, but cannot approve — approval is a human action on the CLI/admin
channel, so nothing the model can call flips a plan to approved. Details in
docs/THREAT-MODEL.md.
Concepts
Piece | What it is |
Plan | An envelope + a hashed |
Policy | Your deployment's domain knowledge: which actions mutate, which actions/targets are forbidden, what a secret looks like. Not baked into the schema. |
Invariants | Seven universal checks the validator enforces (schema, hash-recompute, unique ids + known actions, mutating→rollback, mutating→preconditions, no-forbidden, no-secrets). |
Adapters | Two small protocols — |
See docs/SCHEMA.md, docs/PROTOCOL.md, and
docs/THREAT-MODEL.md.
Status
Alpha (0.1). The deterministic core (hashing, schema, validator, precondition engine) and the approval/audit/executor layer are covered by an adversarial test suite. APIs may shift before 1.0. Issues and review welcome.
License
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Zigerus/interlock-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server